CSS 111 - Introduction to Information System Security
Chapter 1, An Introduction to Information Security; Chapter
2, The Need for Security
This lesson introduces the student to concepts about
information systems and information system security. Objectives
important to this lesson:
- Understand that information security affects everyone
- Understand the Information Security Systems Development
- Define business needs for information security
- Differentiating threats from attacks
Our authors like to begin chapters with stories that
illustrate major points. This chapter begins with a few minutes in the
life of a help desk employee whose company is at the start of a bad
day. Read through this short section and ask yourself a few questions.
If you don't have good answers for some of those questions
yet, you are in the right place. We will build up some knowledge that
will help you form good answers to them. We will come back to Amy later.
Having deployed a teaser to get your interest (like the first minute
or so of a TV show), the text makes the classic mistake of abruptly switching
topics and it begins a history lesson. Actually, the authors do not go
back far enough. They state that information security begins with computer
security. Have you ever heard of the Caesar
cipher? It had nothing to do with Your
Show of Shows, and everything to do with information security in
the first century BC. There was information long before there were computers.
Let's indulge the authors, and grant that electronic computers were invented
during World War II. We are treated to a photo of a German Enigma
machine (page 4), but that was mostly a mechanical cipher
device, not an electronic one. The authors' point may be that we did
not need information system security
until we began using information systems.
Okay. Information systems typically evolved in safe environments, but
became less safe as they grew and as their number of users grew.
- 1950s and 60s - Computer systems began as standalone
computers, which were then connected to networks.
- 1970s - Personal computers became affordable, then they
were connected to networks, and networks were connected to networks.
- 1990s - The Internet became accessible to average people
and began to include commerce.
The text continues with a series of attempts to define
security. Let's look at some of their key
- there are several specialized areas of security listed
(Some of these overlap.):
- information security has three
classic characteristics/elements, commonly referred to as CIA:
- confidentiality - information
be accessible to users who have been granted access to it for valid
reasons. Only authorized users can access data if it is protected
properly, and if authorized
users do not violate security policy
- integrity - data/information
may not be changed
except by authorized users or processes. This means that data must be
protected from alteration, deletion, or other changes to its intended
- availability - authorized
users can access
data when they need to do so. Some people
misunderstand this concept. Availability means that proper access
methods are provided only to authorized users, not to everyone.
- the authors throw in a few more characteristics, some of
- accuracy -related
to integrity, but also meaning that it is correct
- authenticity -
meaning that the source is proven and trusted, which is related to
- utility -
information must be good for something, or it is only data, raw and
- possession - a
characteristic that relates to more than just information; unauthorized
possession is theft
The classic CIA concept defines security from the point of
view of the IT Security staff. The text explains that an expansion of
this concept is called by several names, one being the McCumber
Cube. It provides three different perspectives
on security, which should be considered together to make better
security decisions. This does not mean this tool covers all situations,
but we should consider the ones it does cover:
- IT Security perspective:
This is the perspective of the IT security staff. How do we protect the
information, make sure it is not tampered with,
and provide access to those who need it?
- IT Operations perspective:
Storage, Processing, Transmission
This is the perspective of any IT staff who do not work for the
security division. How do we perform the basic IT functions of storing,
transmitting data? Under storage, we should include data collection and
- Business perspective:
Policy, Education, Technology
This is the perspective of managers over the core operations of the
business. How do we make the rules for employees about protecting
educate our staff about protecting it, and safely use the technology we
do our business?
It feels a bit off that the first two bullets above seem to
the primary activities of the respective entities, but the third does
not. All three perspectives relate to IT security, from the point of
view of that entity. Each is different from the others, and each should
be considered a necessary aspect of the security process.
The text lists six components of an information system.
should remind ourselves again that people used
information before computers were invented, and some people do not need
a computer to do their primary job, but the focus of this text is about
computer information systems, so that's what the authors spend the most
time on. The six elements of computer information systems:
of these elements need protection, partly because each can
focus of an attack. In some cases, we need protection from
elements. The text discusses the fact that attackers often begin their
attack by gathering information from unsuspecting staff. This method is
called social engineering. It
takes many forms, but usually the attacker begins by asking politely
for some information which is then freely given.
Some other terms may be helpful. Some are defined in the text,
some are not.
- asset - something that we care about,
typically information related
- threat - a potential form of loss or
damage; many threats are only potential threats
- threat agent - a vector for the threat, a
way for the threat to occur; could be a person, an event, or a program
running an attack
- attack - an act
that uses a vulnerability to do damage of some sort to a system
- incident - an event
that damages a system in some way; note that an incident may or may not
be an attack; an incident does not require an attacker
- object of an attack
- an asset that is being attacked
- subject of an
attack - a threat agent that is actually attacking us
- risk - the probability of a loss
- vulnerability - a weak spot where an
attack is more likely to succeed
- exposure - when a
vulnerability is known, such as when Microsoft announces a patch for a
- exploit - a method of attack
- control, safeguard, countermeasure - could be software,
hardware, or a policy that serves to reduce the probability of a
The text begins a discussion of a Systems Development Life Cycle (SDLC).
This is one of many methods of developing an information system. It is
a classic method that you should know about. Like most such methods, it
is a cycle because any system
should be reviewed periodically to see what needs to be changed or
updated. In the diagram on page 22, the phases are shown as a series of descending steps (like a staircase)
to emphasize that this version is also a waterfall model: the output of each step serves as an input for the next step. The
steps/phases listed in the text:
- Investigation -
What is the problem? What is the customer asking for? Can we do it?
- Analysis - Can we
design a system to solve the problem?
- Logical design -
What must the system do? What will be the necessary parts of it?
- Physical design -
How will the system be built, and how will it work?
- Implementation -
Write the programs, buy and install the hardware, load the programs,
make it work, train the users
- Maintenance and change
- What needs to be changed, fixed, or uppdatted?
One aspect that the diagram on page 22 does not show is that
always possible to detect a problem in any phase that requires backing
up to an earlier phase for correction. When this is done, the flow
continues from the phase where the correction was made.
This general plan also works for developing a security system.
discusses the Security Systems
Development Life Cycle, which can be abbreviated as SecSDLC. This is a variation of the
standard SDLC. An SDLC can be
triggered by a project or by changes in plans or events, events being
external causes for changes in a system. Projects are often triggered
by security breaches. The authors observe that it is much better if
security measures are designed into a system when it is created. Adding
security afterward is often messy, time consuming, and unpopular with
the users. In fact, any security measure will meet with some
displeasure from users. The text tells us that we must try to strike a
balance between a system that any user can ruin, and a system that is
so secure no one can use it.
When security is made part of a system, it should comply with
the organization's security policies,
the general and specific rules about security in that workplace. In
some cases, the system will cause the organization to create security
policies to cover it. Security policies should be created by a
cooperative effort from committees that are formed by three parts of
- IT managers and professionals
- IT security managers and professionals
- Business managers and professionals
The first two groups look like the same people, but they are
- IT staff are responsible for meeting the IT
needs of the business. It might be better to call these people
the IT Operations staff, although that phrase may
have a different specific definition in some organizations.
- IT Security staff are responsible for protecting
- Business staff are responsible for the core
interests of the business.
The second chapter begins with a less illustrative story. It
tells us that the example company survived their problem from the first
chapter, but it does not tell us how they did it. The purpose of the
introductory story seems to be to remind us that information systems
need protection for all six of their elements, named in chapter 1.
This is said in a slightly different way on page 41, in the
four statements about what value an organization gets from information
- Protecting an organization's ability to function. The business needs to
operate to stay in business.
- Enabling safe operation of an organizations software.
Email, messaging applications, office applications, data and reporting
applications all need to work. Ask me about sending files that don't
- Protecting the organization's data.
Protection from theft, corruption, errors, and more. Note that the text
differentiates between protection of data in motion and data at rest.
These functions are likely to be done by different parts of the
- Protecting the organization's technology assets. Most businesses rely on some
kind of technology, especially their Internet presences. Compromised
technology leads to loss of trust and loss of revenue.
The text begins a general discussion about threats on page 42.
It goes on to quote Sun Tzu
(the third quote on the linked page), and to use his observation that
you must know yourself and your enemy. The
quote is from the end of chapter 3 of The
Art of War. The observation is valid. We must know something
about ourselves, our assets, and our potential attackers to prepare for
and to survive their attacks.
The text presents a list of fourteen kinds of threats on page
44. The world changes daily, so I will not tell you that these fourteen
categories are all you will ever encounter. They are, however, a good
place to start. They seem to cover most of the stories you find on
security news web sites.
- compromised intellectual property
- software attack
- reduced quality of service
- espionage and trespass
- force of nature
- human error
- missing, inadequate, or incomplete data
- missing, inadequate, or incomplete controls
- sabotage or vandalism
- hardware failure or error
- software failure or error
The text says that losses are down and security is better.
Tell that to Target, or any other store whose data was compromised in
2013. Average statistics about losses being down are not comforting to
someone who has suffered a loss.
The text proceeds to discuss each of the bullet points above
for several pages. We will discuss some of the more interesting ones in
class. If you are not familiar with the material in this section, go
over it before our discussion. Some of the material may be arguable.
of intellectual property does not sound like something you get
the morning with a plan to do. If we call it bootlegging software, it
may sound more familiar. As 2014 began, there was an ongoing story in
the news about retail
stores being hacked by people who stole
customers' name and credit card information. One of the interesting
things about this story relates to this topic: a company that
contracted with one of the retailers was using a free version of an
anti-virus program. That particular program is available for free to
individuals, but not to commercial entities, which means that whoever
installed the program on their computers violated the intellectual
property rights of that software publisher. The text describes a case
in which a community college was found in violation of software
licensing rules, and had to pay fines for doing so. In a corporate
environment, it is not uncommon to have the ability to install software
on as many machines as have, but care must be taken to have the correct
number of licenses to avoid this situation.
Software attacks take
many forms. The text discusses viruses and worms, which are similar in
that they both cause harm. A virus typically requires
a carrier to infect a system,
like an email, an instant message, or a program that the user runs. A
major difference between worms
and viruses: once it is started, a worm
can replicate itself across connected computer systems by itself. It
does not need a carrier. If a worm-infected computer is on a network,
the worm can attack any running computer connected to that network: it
does not require cooperation from the user. Worms are more dangerous
due to their self driven nature. Once a worm is detected in a system,
each device on the network must be scanned for it, cleaned if
necessary, and prevented from accessing the network until this is done.
Trojan horse programs are named for the myth of a wooden horse
that was used to smuggle Greek soldiers inside the walls of Troy. A
program of this sort has two aspects: what we are told it does, and
what it actually does. In some cases, Trojans may do
what they say, but they also have a hidden malicious purpose which is
what puts them in this category. A classic ploy used by Trojans is to
pretend not to be a program at all. A file may have a .exe extension,
but the characters .docx may occur in the name immediately before it.
If a Windows computer is using the default (idiotic!)
configuration, the actual .exe extension will be hidden
from the user, and the user may think it is only a Word document. I
always tell my computers to show me the entire file name. It's lazy and
dangerous to do otherwise.
Degradation of service
can happen if a system is attacked and not taken down but kept from
running well. If an attacker keeps the target system's web servers too
busy to conduct business as usual, customers will tire of the wait and
shop elsewhere. That, by the way, is if the attacker is being nice. If
the attacker is more serious, the attack becomes a Denial of Service (DoS) attack, whose goal is to keep
the system so busy that no real customers can use it.
The text discusses some categories used to
- phreaker - an "ancient" category, it
refers to hackers who used tone or line frequency devices to hack
telephone systems in the 1970s and earlier
- hackers, expert hackers,
elite hackers - one of the buzzwords of
computer system geeks, hacker
can mean anything; it is generally accepted to mean someone with more
skill than an average user, may be a white hat (good guy) or black hat
(bad guy). A hacker may break into a system for a thrill, to show off,
or to cause some kind of damage.
- script kiddies, novice hackers
- attackers who use hacking tools that ttheyy don't really understand
- spies - computer attackers who are looking
for specific data from specific systems
- employees - Computer security includes the
concept of protecting data from people who aren't authorized to access
it. What about protecting it from authorized users who want to give or
sell it to someone else? What about authorized users who give out their
password because someone asks for it? What about users who are no good
at protecting their secrets?
- cybercriminals - The text does not discuss
this category in this chapter. The bottom line is that they are after
some financial gain. This could be data they can sell, actual fund
transfers, or theft of financial instruments.
- cyberterrorists - A cyberterrorist is
defined as a system attacker whose motivations are ideological.
The authors spend a couple of pages discussing forces of nature, most of which are
self explanatory. A couple of them seem out of place.
- fire - If your business is located in the
hills of California, wildfires seem to be a yearly event, but for most
of the world a fire is not an expected natural occurrence. Keeping your
computer system cool, so that a fire will not ignite, is your
most effective form of firefighting: don't let it start.
- electrostatic discharge (ESD),
static electricity - This one is more
natural, but still requires some human action to happen. Some numbers
from a previous text may help you understand the situation:
- A human can't feel a static discharge
until it is 3,000 volts or more.
- Normal motion, like moving a chair or a
foot can generate 1,000 volts.
- Simply walking across a carpeted area
can generate 1,500 to 35,000 volts.
- Handling a plastic envelope can
generate 600 to 7,000 volts.
- Picking up a plastic bag can generate 1,200
to 20,000 volts.
- Damage can be done to computer parts
with 20 to 30 volts. The damage from low voltage may
not cause immediate failure so you may never know the cause of the
failure that eventually happens.
Human error is
discussed as being a major cause of problems that we can often prevent.
Many times, errors are caused by carelessness, but they can also be
caused by lack of training, lack of experience, and invalid
assumptions. Another way of saying this is the user does not know how
the system works, the user has no experience with the (new) system, or
the user is wrong about how the system works. Training and practice can
overcome these problems. Errors can also be caused by users being too
busy or too kind or trusting to follow proper secure procedures.
Moving ahead, the text discusses several types of
attacks that occur often enough that an informed IT person
should be aware of them:
- malicious code, malware
- we have already discussed viruses, worms, and Trojan horses
- hoaxes - this topic actually
has two variants: one is a time waster
and the other is more evil
First, sometimes an email goes
around that asks the reader to forward the message to everyone they
know. The message may be a political
rant, a plea for support, or
a warning about some threat.
The thing those email messages have in common is that they are all false.
They only serve to cause fear, uncertainty, and doubt (FUD) which lowers
productivity and clogs mail servers.
The second type is far less
common: the sender warns the
reader about a virus or a vulnerability that must be fixed by clicking
the attachment that came with
the email, or by following a link
in the email. In either case, if the user follows the instruction, that
will be the trigger to infect the computer. I received three instances
of a more recent variation, the funeral
announcement virus, last month. Follow the link to an explanation
on the Snopes web site, and don't open it if you get one.
- The text talks about three variations on guessing a user's password.
If the attacker can access the Security
Account Manager data file on a workstation or server (Windows),
that's helpful because it contains the encrypted passwords for known
users. Those encrypted passwords can be compared to tables of known
words and their encrypted versions. If there is a match, that password
is now known. For obvious reasons, we restrict access to this file.
The Brute Force method is simple,
but tedious. The attacker tries to log in to a system with every possible
combination of characters. This can take a long time, especially if
the system restricts the number of times a user can try to log in unsuccessfully.
The Dictionary attack is shorter than the brute force
method. It only uses words from a file (the dictionary) as possible
passwords, working on the assumption that a user will probably use a
real word as a password. Complexity rules, such as requiring a password
to have upper and lower case letters, numerals, and symbols will make
this kind of attack more time to find a result.
- denial of service - in a Denial
of Service (DoS) attack, multiple computers
are typically used to tie up all available connections
to a system, preventing real users from making a connection or receiving
a service. When a botnet is used, the attack can be
called a Distributed Denial of Service (DDoS)
attack. A botnet is a network
of computers that have been infected, turned into robots
(aka zombies), that can be used for any of several
kinds of attacks.
- A back door is often a separate account that is used
in case of emergency to get access to a system, usually as a user with
administrator privileges. The text says that this is an account that
is set up without the administrator's knowledge or permission. Yes,
an attacker would do that, but the administrator might set up his own
back door so that he could get into the system in case it is hacked.
- spoofing attacks involve pretending
to be someone else. Email spoofing
involves sending email that looks like it is from a known or legitimate
source. IP spoofing make it
look like traffic is coming from a unit on a local network, or from
a unit on a list of trusted sources.
- man-in-the-middle attack - Students should be able
to find information about this kind of attack on voting machines. A
passive attack intercepts messages, saves and transmits
them to an attacker, and passes the messages on to the intended receiver
right away. An active attack would intercept a message,
change it, and then send the changed version along. You can see how
this kind of attack on election data would have effective results.
- phishing is the solicitation
of personal or company information, typically through an official looking
email. Your text includes phone call probes in this category, but most
people would consider that to be social engineering. Some variations
- spear phishing - sending
the email to specific people,
customizing it to look like
a message sent to them by an entity with some of their personal information
- pharming - sending an email
that takes the person directly to a web site (the phisher's site)
instead of asking the reader to follow a link
- Google phishing - the phisher
sets up a fake search engine that will send people to the phishing
web site on specific searches (presumably it returns real search results
on searches that would not lead to a page the phisher has prepared)
- social engineering is simply
the users of a system like a con artist. Think of Leonardo DiCaprio
Me If You Can, interviewing an airline official to get the information
he needed to impersonate a pilot. In the same way, a hacker can ask
people for account information and get it because they often put no
effort in keeping the information secret. It is probably true that people
are the weakest link in any security chain. The text mentions shoulder
surfing, watching a user type to learn ID, password, and other
useful information. This is also social engineering, and so is paying
attention to what people do. A classic example is tailgating,
following an authorized user through a door that requires you to scan
an ID to pass through it. The hacker in question has his hands full
of briefcase, coffee cup, keys, and a box of doughnuts. He smiles and
asks for help getting through the door. People usually oblige that request.
Around holidays, presents are also a good ruse, as well as anything
else allowed in the office, like a potted plant, or a bouquet of flowers.
Anything to make you look like a nice person whose hands are too full
to use your own ID to open the door.
The chapter concludes with a discussion about developing
software with security in mind.The student learning objectives do not
address this section of the chapter.